Mr Gonzalez used a technique known as an "SQL injection attack" to access the databases and steal information, the US Department of Justice said.
His corporate victims included Heartland Payment Systems - a card payment processor - convenience store 7-Eleven and Hannaford Brothers, a supermarket chain, the DoJ said.
According to the indictment, the group researched the credit and debit card systems used by their victims, attacked their networks and sent the data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.
The data could then be sold on, enabling others to make fraudulent purchases, it said.
Mr Gonzalez, who had once been an informant for the US Secret Service helping to track hackers, is already in custody on separate charges of hacking into the computer system of a national restaurant chain.
This latest case will raise fresh concerns about the security of credit and debit cards used in the United States, the BBC's Greg Wood reports.
Have you been a victim of identity theft? What is your reaction to this story? Send us your comments.
The BBC may edit your comments and not all emails will be published. Your comments may be published on any BBC media worldwide.
This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.
Bookmark with:
What are these?